Enable Strict Transport Security in MVC


This header forces the browser to use HTTPS. If the application has an HTTP link somewhere, or if the user tries to enter a URL with HTTP, the browser will redirect him to HTTPS. To use HSTS, the site needs a valid SSL certificate. The rewrite is not mandatory, but it is good to have. If the user first enters the site over HTTPS, then whenever he comes back to the site he will be automatically redirected until expiry, and the max-age is updated on each visit. But if the user enters once in HTTP mode, STS may not work until he uses the site over HTTPS once. It is better to use the rewrite.

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- max-age is in seconds; the browser keeps the policy that long after each HTTPS response -->
      <add name="Strict-Transport-Security" value="max-age=xxxxxx"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
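The behaviour the answer describes (the policy lives only in the browser, an STS header received over plain HTTP is ignored, max-age is re-armed on every HTTPS response, and the rewrite rule covers the very first HTTP visit) can be replayed offline with a small model of a browser's HSTS store and of the question's IIS site. This is an added example, not code from the original post or from IIS; the host name example.test, the one-year max-age and the visit timings are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed scenario: the host name and the one-year max-age are assumptions.
HOST = "example.test"
ONE_YEAR = 31536000

def parse_max_age(value):
    """max-age from an STS header value, or None if the browser must ignore the header (RFC 6797 6.1)."""
    ages = []
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"[0-9]+", arg):
                return None                      # max-age must be a non-negative integer
            ages.append(int(arg))
        # other directives (includeSubDomains, preload) do not affect this model
    return ages[0] if len(ages) == 1 else None   # missing or repeated max-age invalidates the header

class HstsCache:
    """The browser's HSTS store (host -> absolute expiry time). Nothing here lives on the server."""

    def __init__(self):
        self.expires = {}

    def process_response(self, url, headers, now):
        """Apply one response's STS header; True if a policy was stored, refreshed or removed."""
        p = urlsplit(url)
        if p.scheme != "https":
            return False                         # RFC 6797 8.1: STS received over HTTP MUST be ignored
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        max_age = parse_max_age(value) if value is not None else None
        if max_age is None:
            return False
        host = p.hostname.lower()
        if max_age == 0:
            self.expires.pop(host, None)         # max-age=0 tells the browser to forget the host
        else:
            self.expires[host] = now + max_age   # every HTTPS response re-arms the timer
        return True

    def is_known(self, host, now):
        """True if a live policy covers host; an expired entry is dropped as if never seen."""
        host = host.lower()
        if host in self.expires and now >= self.expires[host]:
            del self.expires[host]
        return host in self.expires

    def rewrite_url(self, url, now):
        """The URL the browser actually fetches: http is upgraded to https for known hosts."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname, now):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url

def iis_site(url, redirect_http, header_on_http, max_age=ONE_YEAR):
    """Model of the question's IIS site: the response chain [(url, headers), ...] for one request.

    header_on_http=True models <customHeaders>, which adds the header to every response.
    redirect_http=True models the <rewrite> rule that 301s http:// to https://.
    """
    p = urlsplit(url)
    sts = {"Strict-Transport-Security": f"max-age={max_age}"}
    if p.scheme == "https":
        return [(url, sts)]
    if redirect_http:
        https_url = urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return [(url, {"Location": https_url})] + iis_site(https_url, redirect_http, header_on_http, max_age)
    return [(url, sts if header_on_http else {})]

def navigate(cache, typed_url, site, now):
    """Load typed_url through the browser's HSTS cache; return the scheme the page finally loaded over."""
    chain = site(cache.rewrite_url(typed_url, now))
    for response_url, headers in chain:
        cache.process_response(response_url, headers, now)
    return urlsplit(chain[-1][0]).scheme

def replay(redirect_http, header_on_http=True):
    """Replay the experiment from the comments: typed http, typed https, typed http, then around expiry."""
    cache = HstsCache()
    site = lambda url: iis_site(url, redirect_http, header_on_http)
    return [
        navigate(cache, f"http://{HOST}/", site, now=0),                  # fresh browser, user types http
        navigate(cache, f"https://{HOST}/", site, now=10),                # user types https: policy stored
        navigate(cache, f"http://{HOST}/", site, now=20),                 # typed http is upgraded locally
        navigate(cache, f"http://{HOST}/", site, now=ONE_YEAR + 15),      # covered only because t=20 refreshed it
        navigate(cache, f"http://{HOST}/", site, now=2 * ONE_YEAR + 20),  # policy expired: back to the server
    ]

if __name__ == "__main__":
    print("header only:     ", replay(redirect_http=False))   # ['http', 'https', 'https', 'https', 'http']
    print("header + rewrite:", replay(redirect_http=True))    # ['https', 'https', 'https', 'https', 'https']
```

With the header alone the first typed http visit and every visit after the policy has expired land on plain HTTP, exactly the window the comments describe; the redirect rule closes that window on the server side, and the browser then learns the policy from the HTTPS response it is redirected to. The fourth navigation only stays on HTTPS because the visit at t=20 re-armed max-age, which is the "max-age updates on each visit" point from the answer.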

Author by user1681166

Updated on June 04, 2022

Comments

  • user1681166
    user1681166 almost 2 years

    I want to enable Strict Transport Security. My website is HTTPS-enabled. Below is my code to enable HSTS.

    <system.webServer>
        <httpProtocol>
          <customHeaders>
              <add name="X-Frame-Options" value="SAMEORIGIN" />
              <add name="Strict-Transport-Security" value="max-age=31536000"/>
              .....
          </customHeaders>
        </httpProtocol>
    </system.webServer>

    Is the above setting enough to enable Strict Transport Security, or do I also need to add the setting below, i.e.

    <rewrite>
      <rules>
        <!-- Inbound: send every plain-HTTP request to the same URL over HTTPS -->
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
              redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Outbound: set the Strict-Transport-Security response header, but only on HTTPS responses -->
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security"
              pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
    

    If both settings are mandatory, then what is the need for the rewrite? Can we enable HSTS by the header only, or by the rewrite only?

    Why is the rewrite required?

    This site says to add the rewrite along with

    <add name="Strict-Transport-Security" value="max-age=31536000"/>

  • user1681166
    user1681166 over 6 years
    Even if I don't use the rewrite, and if I try to use HTTP, it forces the browser to use HTTPS, i.e. it automatically redirects to HTTPS without the rewrite.
  • user1681166
    user1681166 over 6 years
    What will happen if I don't use the rewrite?
  • Chidambaram
    Chidambaram over 6 years
    Without the rewrite also, it will work. I did not use the rewrite. Just use the above code for STS, clear the browser cache, then type the URL with http and you will land on the site with http only; it will not redirect to https. Once you hit the URL with https, then try to type http and try to enter the site: it will not allow you to access the site with http anymore. Again clear the cache and try http; it will allow it then. It's just a value set for the client browser. If you clear the cache it will be gone.
  • Chidambaram
    Chidambaram over 6 years
    If you don't use the rewrite, there is a possibility to land on http also. This is what I observed in my application with the same scenario.